Switch Cartridge - Reverse Engineering

Discussion in 'Switch - Hacking & Homebrew' started by smiba, Mar 14, 2017.

  1. smiba (OP)
    As promised, the pinout and high quality pictures of the PCB

    For me it looks like a normal NAND chip; however, it seems to have a rather odd pinout that does not match regular TSOP48 NAND chips. It most likely is an 8-bit channel NAND chip though, which should be readable.

    (Oh, and the capacitors are 0.2 and 0.1uF. Top to bottom: 0.2uF, 0.1uF, 0.2uF, 0.1uF)

    [IMG]

    -----

    Pinouts!

    (Blank pins are not connected to anything)
    [IMG]
    [IMG]

    To me it looks like Pink is VCC and Dark Blue is GND, but I can't be 100% sure.

    -----

    I won't continue with any kind of reverse engineering, but I hope this pinout helped
     
    Last edited by smiba, May 1, 2017
    DaMan, rileysrjay, DKB and 59 others like this.


  2. xtheman
    *watches thread*
     
    smileyhead and Exavold like this.
  3. zoogie
    Zacchi4k, Chizko and smiba like this.
  4. Robert McCoy
    Holy shit, this is being done already?! Nice work! This looks interesting, I'll be keeping an eye out for this.
     
  5. smiba (OP)
    Very, very interesting.

    Custom chip with the pads for the Switch directly attached to the back?
     
  6. KingpinSlim

    I don't really think it would be all that challenging to develop a Switch flashcart that offers more features than a real cartridge.

    What i worry about is, how can you improve on the flavor?
    The original is already quite pungent, but could you somehow make it even stronger?

    These thoughts keep me up at night.
     
  7. EpicLPer
    Is that seriously just a flash memory with contacts? Or a custom chip?
     
  8. smiba (OP)
    Well, that's where you're wrong, haha. There is a lot that needs to happen and to be figured out before one can develop a flashcart.

    This is just the first step: get to know what you're copying before you're going to copy it. I highly doubt flashcarts will be available in the next 12 months.
     
    DayVeeBoi and Zacchi4k like this.
  9. xile6
    Hmm, maybe that's why my Zelda makes noise when I shake it, lol.

    I think it will be a bit hard to dump these games. Seems like there might be a lot of different types of chips in them.
     
  10. Dark-Sider
    I would assume the following things:
    a) the chip has some kind of CPU protection (like a SIM card or pay-TV card), only giving away its contents after being challenged with the right secret.

    b) Dumping the contents by tapping into an "unlocked" chip after inserting it into the console wouldn't do anything good, because the Switch will be looking for the CPU on the flash cart confirming its authenticity. Dumping the CPU microcode of those devices is proven to be hard but not impossible.
     
    DayVeeBoi, pelago and JimmyZ like this.
  11. KingpinSlim

    I don't know anything about the engineering-work behind it, but i can tell you one thing.

    Use Bitrex. Easily available and a fairly superior bittering agent compared to the weak stuff Nintendo uses.
     
  12. EpicLPer
    I doubt they went through all this trouble after doing stuff like including partition names in the flash storage of the Switch, lol.
     
  13. DoJo_Master
    These are the kind of posts I want to see! Research and development, AKA progress!
     
    DayVeeBoi likes this.
  14. smiba (OP)
    I don't think this is the case, but I guess time will tell. Adding CPU-Protection and stuff really adds up on production costs when you make millions of them.

    Impossible? No, definitely not.
    Unlikely? Yes.

    Anyways, right now I'm probably going to design a PCB for the Switch where I can solder a bunch of wires on to debug anything that's happening on there; sounds like the most flexible solution for getting to know the cartridge a bit better.
     
    DoJo_Master likes this.
  15. Dark-Sider
    That's just basic security 101. The interesting partitions on the Switch's flash are encrypted and protected by a secure area inside the CPU. Dumping a flash is something you take for granted today. Just look at all those mobile phone chip-off forensic kits that are out there.

    I would put my ass on the line that the flash cart and the Switch do some kind of mutual authorization checks before either accepts the other one. Otherwise we would be in the era of GB or NES security ;-)

    If the Switch flash cart were only some kind of flash memory, the appearance of Sky3DS-style carts would only be a matter of weeks - months tops.

    I'm not that deep into the 3DS flash cart security, but I'd guess that emulating a 3DS flash cart was only possible after the initial 3DS firmware breach, so an emulation of the 3DS cart security could be developed.

    But it's always the same (as it is with pay TV): once you give your "secret" into customers' hands they will "hack" it sooner or later.

    bye
    Darky
     
    Last edited by Dark-Sider, Mar 14, 2017
    DayVeeBoi likes this.
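Dark-Sider's guess above, that the console and the cartridge challenge each other before either trusts the other, is the textbook way to make a raw NAND dump insufficient on its own. The following is an added example, not code from this thread, from Nintendo, or from the Switch's real protocol: a toy mutual challenge-response handshake in Python using HMAC-SHA256 over fresh nonces. A single shared secret (a constructed value) stands in for whatever key material a real cartridge would hold outside its readable flash; the class and function names, and the sample flash contents, are made up for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed demo secret (hypothetical). In a real design each cartridge would
# carry its own key, ideally asymmetric, in a region the console can never read out.
SHARED_SECRET = b"demo-secret-not-a-real-key"

# Constructed sample standing in for the game data held in the cartridge's flash.
SAMPLE_FLASH = b"CART-DEMO-DATA" * 4


def _tag(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over a direction label plus both nonces. The label stops a
    tag produced for one direction from being reflected back in the other."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(part)
    return h.digest()


class GenuineCartridge:
    """Readable flash plus a secret kept outside the flash array."""

    def __init__(self, flash: bytes, secret: bytes) -> None:
        self.flash = flash
        self._secret = secret

    def respond(self, console_nonce: bytes) -> tuple[bytes, bytes]:
        """Answer the console's challenge with a fresh nonce and a proof tag."""
        cart_nonce = os.urandom(16)
        return cart_nonce, _tag(self._secret, b"cart", console_nonce, cart_nonce)

    def verify_console(self, console_nonce: bytes, cart_nonce: bytes, tag: bytes) -> bool:
        """Second half of the handshake: the cartridge checks the console too."""
        expected = _tag(self._secret, b"console", cart_nonce, console_nonce)
        return hmac.compare_digest(expected, tag)


class FlashOnlyCopy(GenuineCartridge):
    """A byte-exact copy of the flash with no secret behind it: it can only guess."""

    def __init__(self, flash: bytes) -> None:
        super().__init__(flash, secret=b"")

    def respond(self, console_nonce: bytes) -> tuple[bytes, bytes]:
        return os.urandom(16), os.urandom(32)  # no key, so the tag is a random guess


class Console:
    def __init__(self, secret: bytes) -> None:
        self._secret = secret

    def authenticate(self, cart: GenuineCartridge) -> bool:
        """Mutual challenge-response: check the cart first, then prove ourselves."""
        console_nonce = os.urandom(16)
        cart_nonce, cart_tag = cart.respond(console_nonce)
        expected = _tag(self._secret, b"cart", console_nonce, cart_nonce)
        if not hmac.compare_digest(expected, cart_tag):
            return False  # cart could not prove knowledge of the secret
        console_tag = _tag(self._secret, b"console", cart_nonce, console_nonce)
        return cart.verify_console(console_nonce, cart_nonce, console_tag)


def genuine_cart_accepted() -> bool:
    """A cartridge holding the secret passes both halves of the handshake."""
    return Console(SHARED_SECRET).authenticate(GenuineCartridge(SAMPLE_FLASH, SHARED_SECRET))


def flash_copy_rejected() -> bool:
    """An identical flash image without the secret is refused by the console."""
    genuine = GenuineCartridge(SAMPLE_FLASH, SHARED_SECRET)
    copy = FlashOnlyCopy(genuine.flash)  # same data, no secret
    return copy.flash == genuine.flash and not Console(SHARED_SECRET).authenticate(copy)


if __name__ == "__main__":
    print("genuine cartridge accepted:", genuine_cart_accepted())
    print("flash-only copy rejected:", flash_copy_rejected())
```

Run it directly to see both outcomes. The point the thread keeps circling back to is visible in `flash_copy_rejected`: the copy is byte-identical in flash and still fails, because what the console checks is knowledge of a secret the flash never exposes, and because each side contributes a fresh nonce a recorded genuine exchange cannot simply be replayed later. A real design would also use per-cartridge keys rather than one global secret, so that a single extracted key does not unlock every copy.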
  16. smiba (OP)
    Mobile phones just use normal NAND or eMMC memory; there is nothing special about it. The difference is that they often have parts on the drives that the system marked as removed but that aren't actually erased yet. Some forensic kits make use of this to recover removed data.
    Also, most phones are encrypted, but for this it doesn't matter if the cartridge is encrypted. The final goal is to copy it, not to modify it.

    The hardest part is developing something like a GUI, because for this you would need to be able to run unsigned code. The Switch doesn't just accept any kind of code on the cartridge (most likely); it would need to be signed by Nintendo.
    Copying cartridges has always been done in just months; making a flash cart that noobs can use is the part that takes the longest ;)
     
  17. Dark-Sider
    I know my fair share of mobile forensics and chip-off, since this is part of my line of work (no, not for .gov). What I wanted to say was that dumping a soldered NAND chip was way more difficult a few years ago than it is now, with plug-and-play solutions all over the place. Right now dumping a flash chip is basically as easy as extracting a SATA HDD and creating a physical copy, as long as you have the right tools readily available.

    So if I were a developer I would assume that my NAND contents would be dumped on day 1 if not day 0. So this can't be a valid part of my strategy for keeping my device secure.

    To just go back to smartphones: chip-off was primarily used to circumvent PIN or pattern locks on unencrypted devices. On devices that use strong passwords with state-of-the-art encryption, you'll just find "random" data on the NAND (maybe except the phone OS partition and sometimes the emulated SD card).

    My reply was also not about the flash cart but about EpicLPer's statement about the Switch NAND being dumped and having partition names in it. Again, good security comes not from hiding anything but from making it nearly impossible to break even when you know exactly how it works.

    I also know my fair share about code signing and modern security architectures. So GUIs like we had on GBA or DS flash carts won't be available any time soon (I guess). Having a cart that would just behave like a Sky3DS would sell like hell. So if it can be done it will be done. The main goal of those carts is piracy, and getting unsigned / self-signed code running on the system to display your own GUIs - at that point the Switch would be hacked wide open, so carts would be obsolete again.

    My guess is that even providing a 1:1 copy of a flash cart is more difficult than getting some kind of code execution on the Switch itself.

    Another guess would be that the communication between the cart and the Switch will be encrypted as well.

    Was there really a 1:1 copy of a 3DS game just months after the release? I always thought the first team that accomplished this was Sky3DS. The other carts like Gateway relied on firmware bugs / exploits...

    However, keep up your good and contributing work - I'm very curious what your findings will be!

    bye,
    Darky
     
    Last edited by Dark-Sider, Mar 14, 2017
    pelago likes this.
  18. Jacklack3
    checkmate athei- oh wait i made that joke before
     
  19. iAqua
    Amazing work!
     
  20. smiba (OP)
    .3ds ROMs were online way before anyone made an emulator or working flash cart; dumping is easier than getting them to run again.

    Thanks for your comment and I'll keep everyone posted

    Thanks!